Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
On Mon, 2011-06-13 at 23:37 -0400, Simo Sorce wrote:
> On Mon, 2011-06-13 at 23:28 -0400, Rob Crittenden wrote:
> > Endi Sukma Dewata wrote:
> > > On 6/13/2011 6:00 PM, Rob Crittenden wrote:
> > >> Endi Sukma Dewata wrote:
> > >>> On 6/13/2011 2:45 PM, Rob Crittenden wrote:
> > Indirect membership is calculated by looking at each member and pulling
> > all the memberof out of it. What was missing was doing nested searches
> > on any members in that member group.
> >
> > So if group2 was a member of group1 and group3 was a member of group2 we
> > would miss group3 as being an indirect member of group1.
> >
> > I updated the nesting test to do deeper nested testing. I confirmed that
> > this test failed with the old code and works with the new.
> >
> > ticket https://fedorahosted.org/freeipa/ticket/1273
> > >>>
> > >>> NACK. If a user is an indirect member of a group via 2 different paths,
> > >>> the user will be listed twice. Here is a test scenario:
> > >>>
> > >>> Group 1 has 2 members: group 2 and group 3.
> > >>> User X is a member of both group 2 and group 3.
> > >>> Group 1's indirect members should only list the user X once. Currently
> > >>> it is listed twice.
> > >>
> > >> Patch and test case updated.
> > >
> > > NACK. If there's a circular membership the code will run into an
> > > infinite loop. Here's a test scenario:
> > >
> > > Group 1 has 2 members: group 2 and group 3.
> > > Group 2 is a member of group 3.
> > > Group 3 is a member of group 2.
> > > Run ipa group-show on group 1, the command doesn't return until it's
> > > killed.
> > >
> >
> > I think the solution will be to deny creating circular groups.
>
> Although it would be nice to avoid creating circular groups as they are
> pointless we really can't assume we can prevent that. In a multi-master
> scenario it is possible that 2 admins operating on 2 different masters
> will end up creating a circular group dependency. Even though on each
> master they will not be, until replication takes place.
>
> So we MUST (capital as in RFCs) deal with circular groups in the UI and
> framework. Entering infinite loops is not an option, use a max-recursion
> limit if detecting circular deps is too hard.
> If you set the max-recursion limit high enough you will still operate
> properly in most scenarios with complex memberships w/o side effects.
>
> Simo.

IIRC the algorithms for circular groups processing are already implemented
in SSSD, so we don't have to reinvent the wheel and let us get some
inspiration there :-)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
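The member walk the thread is arguing about, as an added example that is not FreeIPA's code: it runs over a constructed in-memory member graph (DN -> list of member DNs) instead of LDAP, lists a member reached by two paths once, terminates on the group2/group3 cycle, and applies the max-depth safety net Simo suggests, reporting it as a `truncated` flag rather than looping.

```python
# Added example, not FreeIPA's code: indirect membership over an in-memory
# member graph (DN -> list of member DNs), covering the cases raised in this
# thread: nested groups, a member reachable by two paths (listed once) and
# circular groups (terminates). A max-depth limit is the safety net Simo
# asks for; hitting it sets `truncated` instead of running forever.
from collections import deque

# Constructed sample data (Endi's second scenario): group1 -> group2, group3;
# group2 <-> group3 is a cycle; user X is a member of both group2 and group3.
CIRCULAR_DIRECTORY = {
    "cn=group1,cn=groups": ["cn=group2,cn=groups", "cn=group3,cn=groups"],
    "cn=group2,cn=groups": ["cn=group3,cn=groups", "uid=userx,cn=users"],
    "cn=group3,cn=groups": ["cn=group2,cn=groups", "uid=userx,cn=users"],
    "uid=userx,cn=users": [],
}

# Constructed deep chain (Rob's nesting case, one level deeper):
# group1 -> group2 -> group3 -> group4 -> user3.
NESTED_DIRECTORY = {
    "cn=group1,cn=groups": ["cn=group2,cn=groups"],
    "cn=group2,cn=groups": ["cn=group3,cn=groups"],
    "cn=group3,cn=groups": ["cn=group4,cn=groups"],
    "cn=group4,cn=groups": ["uid=user3,cn=users"],
    "uid=user3,cn=users": [],
}

DEFAULT_MAX_DEPTH = 32  # assumed value; "high enough" for real membership trees


def get_members(directory, group_dn, max_depth=DEFAULT_MAX_DEPTH):
    """Return (direct, indirect, truncated) for group_dn.

    direct:    the group's own member DNs, in directory order.
    indirect:  DNs reachable through nested members, each listed once and
               never overlapping with direct (FreeIPA drops real members
               from the indirect list).
    truncated: True if max_depth stopped the walk before every nested
               member had been expanded.
    """
    direct = list(directory.get(group_dn, []))
    # `seen` is what the patch under review lacks: a DN that has been
    # visited is never queued again, so a cycle cannot loop and a DN
    # reached by two paths is listed once.
    seen = set(direct)
    seen.add(group_dn)  # a cycle back to the group must not list it as its own member
    indirect = []
    truncated = False
    queue = deque((dn, 1) for dn in direct)  # breadth-first; depth 1 = direct
    while queue:
        dn, depth = queue.popleft()
        children = directory.get(dn, [])
        if depth >= max_depth:
            # Safety net: stop descending; flag it if anything was left unexplored.
            if any(child not in seen for child in children):
                truncated = True
            continue
        for child in children:
            if child in seen:
                continue
            seen.add(child)
            indirect.append(child)
            queue.append((child, depth + 1))
    return direct, indirect, truncated


if __name__ == "__main__":
    for name, data in (("circular", CIRCULAR_DIRECTORY), ("nested", NESTED_DIRECTORY)):
        print(name, get_members(data, "cn=group1,cn=groups"))
    # A deliberately low limit shows the truncation flag instead of a hang.
    print("nested, max_depth=2", get_members(NESTED_DIRECTORY, "cn=group1,cn=groups", max_depth=2))
```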
Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
On Mon, 2011-06-13 at 23:28 -0400, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
> > On 6/13/2011 6:00 PM, Rob Crittenden wrote:
> >> Endi Sukma Dewata wrote:
> >>> On 6/13/2011 2:45 PM, Rob Crittenden wrote:
> Indirect membership is calculated by looking at each member and pulling
> all the memberof out of it. What was missing was doing nested searches
> on any members in that member group.
>
> So if group2 was a member of group1 and group3 was a member of group2 we
> would miss group3 as being an indirect member of group1.
>
> I updated the nesting test to do deeper nested testing. I confirmed that
> this test failed with the old code and works with the new.
>
> ticket https://fedorahosted.org/freeipa/ticket/1273
> >>>
> >>> NACK. If a user is an indirect member of a group via 2 different paths,
> >>> the user will be listed twice. Here is a test scenario:
> >>>
> >>> Group 1 has 2 members: group 2 and group 3.
> >>> User X is a member of both group 2 and group 3.
> >>> Group 1's indirect members should only list the user X once. Currently
> >>> it is listed twice.
> >>
> >> Patch and test case updated.
> >
> > NACK. If there's a circular membership the code will run into an
> > infinite loop. Here's a test scenario:
> >
> > Group 1 has 2 members: group 2 and group 3.
> > Group 2 is a member of group 3.
> > Group 3 is a member of group 2.
> > Run ipa group-show on group 1, the command doesn't return until it's
> > killed.
> >
>
> I think the solution will be to deny creating circular groups.

Although it would be nice to avoid creating circular groups as they are
pointless we really can't assume we can prevent that. In a multi-master
scenario it is possible that 2 admins operating on 2 different masters
will end up creating a circular group dependency. Even though on each
master they will not be, until replication takes place.

So we MUST (capital as in RFCs) deal with circular groups in the UI and
framework. Entering infinite loops is not an option, use a max-recursion
limit if detecting circular deps is too hard.
If you set the max-recursion limit high enough you will still operate
properly in most scenarios with complex memberships w/o side effects.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
Endi Sukma Dewata wrote:
> On 6/13/2011 6:00 PM, Rob Crittenden wrote:
>> Endi Sukma Dewata wrote:
>>> On 6/13/2011 2:45 PM, Rob Crittenden wrote:
>>>> Indirect membership is calculated by looking at each member and pulling
>>>> all the memberof out of it. What was missing was doing nested searches
>>>> on any members in that member group.
>>>>
>>>> So if group2 was a member of group1 and group3 was a member of group2 we
>>>> would miss group3 as being an indirect member of group1.
>>>>
>>>> I updated the nesting test to do deeper nested testing. I confirmed that
>>>> this test failed with the old code and works with the new.
>>>>
>>>> ticket https://fedorahosted.org/freeipa/ticket/1273
>>>
>>> NACK. If a user is an indirect member of a group via 2 different paths,
>>> the user will be listed twice. Here is a test scenario:
>>>
>>> Group 1 has 2 members: group 2 and group 3.
>>> User X is a member of both group 2 and group 3.
>>> Group 1's indirect members should only list the user X once. Currently
>>> it is listed twice.
>>
>> Patch and test case updated.
>
> NACK. If there's a circular membership the code will run into an
> infinite loop. Here's a test scenario:
>
> Group 1 has 2 members: group 2 and group 3.
> Group 2 is a member of group 3.
> Group 3 is a member of group 2.
> Run ipa group-show on group 1, the command doesn't return until it's
> killed.

I think the solution will be to deny creating circular groups.

rob
Re: [Freeipa-devel] [PATCH] 176 Fixed tab navigation.
On 06/13/2011 07:28 PM, Endi Sukma Dewata wrote:
> The buttons were previously skipped during tab navigation because they do
> not have an href attribute. The IPA.button has been fixed to always provide
> an href attribute.
>
> Ticket #983

ACK.
Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
On 6/13/2011 6:00 PM, Rob Crittenden wrote:
> Endi Sukma Dewata wrote:
>> On 6/13/2011 2:45 PM, Rob Crittenden wrote:
>>> Indirect membership is calculated by looking at each member and pulling
>>> all the memberof out of it. What was missing was doing nested searches
>>> on any members in that member group.
>>>
>>> So if group2 was a member of group1 and group3 was a member of group2 we
>>> would miss group3 as being an indirect member of group1.
>>>
>>> I updated the nesting test to do deeper nested testing. I confirmed that
>>> this test failed with the old code and works with the new.
>>>
>>> ticket https://fedorahosted.org/freeipa/ticket/1273
>>
>> NACK. If a user is an indirect member of a group via 2 different paths,
>> the user will be listed twice. Here is a test scenario:
>>
>> Group 1 has 2 members: group 2 and group 3.
>> User X is a member of both group 2 and group 3.
>> Group 1's indirect members should only list the user X once. Currently
>> it is listed twice.
>
> Patch and test case updated.

NACK. If there's a circular membership the code will run into an
infinite loop. Here's a test scenario:

Group 1 has 2 members: group 2 and group 3.
Group 2 is a member of group 3.
Group 3 is a member of group 2.
Run ipa group-show on group 1, the command doesn't return until it's
killed.

-- 
Endi S. Dewata
[Freeipa-devel] [PATCH] 176 Fixed tab navigation.
The buttons were previously skipped during tab navigation because they do not have an href attribute. The IPA.button has been fixed to always provide an href attribute. Ticket #983 -- Endi S. Dewata From 13a15e6de3ef904f33fd3ba8611f5d9bebd656aa Mon Sep 17 00:00:00 2001 From: Endi S. Dewata Date: Mon, 13 Jun 2011 18:12:11 -0500 Subject: [PATCH] Fixed tab navigation. The buttons were previously skipped during tab navigation because they do not have an href attribute. The IPA.button has been fixed to always provide an href attribute. Ticket #983 --- install/ui/details.js |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/install/ui/details.js b/install/ui/details.js index 7fa72eff5963ea98233fda7707af7e877ca902d9..f5a3e4d80fec40da6e8a55704461a12d46647a0e 100644 --- a/install/ui/details.js +++ b/install/ui/details.js @@ -673,6 +673,8 @@ IPA.button = function(spec) { var button = $('', { id: spec.id, +name: spec.name, +href: spec.href || '#' + (spec.name || 'button'), html: spec.label, title: spec.title || spec.label, 'class': 'ui-state-default ui-corner-all', -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
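Review bot: in the IPA.button hunk, the new default `href: spec.href || '#' + (spec.name || 'button')` gives every button a fragment URL, so a plain click (or Enter on the now-focusable anchor) will navigate the browser to that fragment and change the location hash unless the button's click handler cancels the default action; the hunk does not show the handler, so it is worth confirming it returns false or calls preventDefault, and adding a note to the commit message that the href exists only to make the anchor focusable. A comment next to the `href:` line saying the same would stop a later cleanup from "simplifying" it away.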
Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
Endi Sukma Dewata wrote: On 6/13/2011 2:45 PM, Rob Crittenden wrote: Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. ticket https://fedorahosted.org/freeipa/ticket/1273 NACK. If a user is an indirect member of a group via 2 different paths, the user will be listed twice. Here is a test scenario: Group 1 has 2 members: group 2 and group 3. User X is a member of both group 2 and group 3. Group 1's indirect members should only list the user X once. Currently it is listed twice. Patch and test case updated. rob >From 8f9b36c40ffa5bf75fd8baba5f2185f940182607 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 13 Jun 2011 14:54:42 -0400 Subject: [PATCH] Fix indirect member calculation Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users. ticket https://fedorahosted.org/freeipa/ticket/1273 --- ipaserver/plugins/ldap2.py| 24 ++- tests/test_xmlrpc/test_nesting.py | 293 - 2 files changed, 270 insertions(+), 47 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b0a5c2c..a0b03c1 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -943,14 +943,20 @@ class ldap2(CrudBackend, Encoder): # Verify group membership results = [] -for member in members: -try: -(result, truncated) = self.find_entries(searchfilter, attr_list, -member, time_limit=time_limit, -size_limit=size_limit, normalize=normalize) -results.append(list(result[0])) -except errors.NotFound: -pass +if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT: +checkmembers = copy.deepcopy(members) +for member in checkmembers: +try: +(result, truncated) = self.find_entries(searchfilter, +attr_list, member, time_limit=time_limit, +size_limit=size_limit, normalize=normalize) +results.append(list(result[0])) +for m in result[0][1].get('member', []): +# This member may contain other members, add it to our +# candidate list +checkmembers.append(m) +except errors.NotFound: +pass if membertype == MEMBERS_ALL: entries = [] @@ -969,7 +975,7 @@ class ldap2(CrudBackend, Encoder): entries = [] for e in results: -if unicode(e[0]) not in real_members: +if unicode(e[0]) not in real_members and unicode(e[0]) not in entries: if membertype == MEMBERS_INDIRECT: entries.append(e[0]) else: diff --git a/tests/test_xmlrpc/test_nesting.py b/tests/test_xmlrpc/test_nesting.py index a7e6cb8..5418628 100644 --- a/tests/test_xmlrpc/test_nesting.py +++ b/tests/test_xmlrpc/test_nesting.py @@ -27,8 +27,11 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid group1 = u'testgroup1' group2 = u'testgroup2' group3 = u'testgroup3' +group4 = u'testgroup4' user1 = u'tuser1' user2 = u'tuser2' +user3 = u'tuser3' +user4 = u'tuser4' hostgroup1 = u'testhostgroup1' hgdn1 = u'cn=%s,cn=hostgroups,cn=accounts,%s' % (hostgroup1, api.env.basedn) 
@@ -44,8 +47,11 @@ class test_nesting(Declarative): ('group_del', [group1], {}), ('group_del', [group2], {}), ('group_del', [group3], {}), +('group_del', [group4], {}), ('user_del', [user1], {}), ('user_del', [user2], {}), +('user_del', [user3], {}), +('user_del', [user4], {}), ('host_del', [fqdn1], {}), ('hostgroup_del', [hostgroup1], {}), ('hostgroup_del', [hostgroup2], {}), @@ -119,6 +125,26 @@ class test_nesting(Declarative): dict( +desc='Create %r' % group4, +command=( +'group_add', [group4], dict(description=u'Test desc 4') +), +expected=dict( +value=group4, +summary=u'Added group "tes
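Review bot: in the ldap2.py hunk at line 943, `for member in checkmembers:` appends to `checkmembers` inside the loop and nothing records which DNs have already been searched, so two groups that list each other as members keep re-queuing each other and the loop never terminates (the circular-membership case reported in this thread). Keep a set of searched DNs and test `m` against it before `checkmembers.append(m)`; that also removes the duplicate entries in `results`, since each DN is then searched once, and a depth cap on top of it would bound the work even if a cycle were ever missed. `copy.deepcopy(members)` also needs `copy` imported in ldap2.py, which the hunk does not show; `list(members)` is enough here because the DNs are only read.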
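Review bot: in the ldap2.py hunk at line 969, `unicode(e[0]) not in entries` is a linear scan of a growing list for every result, and as far as the visible lines show it only guards the `MEMBERS_INDIRECT` branch, while the `else:` branch's append is outside the hunk and may still emit duplicates. A set of already-emitted DNs kept alongside `entries` makes the check O(1) and covers both branches; better still, with the searched-DN set in the earlier hunk the duplicates never reach this point and the filter becomes a cheap safeguard rather than the fix. The test_nesting.py hunk is cut off in the archive after `summary=u'Added group "tes`, so the new nesting assertions could not be reviewed here.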
Re: [Freeipa-devel] [PATCH] 798 Fix indirect member calculation
On 6/13/2011 2:45 PM, Rob Crittenden wrote:
> Indirect membership is calculated by looking at each member and pulling
> all the memberof out of it. What was missing was doing nested searches
> on any members in that member group.
>
> So if group2 was a member of group1 and group3 was a member of group2 we
> would miss group3 as being an indirect member of group1.
>
> I updated the nesting test to do deeper nested testing. I confirmed that
> this test failed with the old code and works with the new.
>
> ticket https://fedorahosted.org/freeipa/ticket/1273

NACK. If a user is an indirect member of a group via 2 different paths,
the user will be listed twice. Here is a test scenario:

Group 1 has 2 members: group 2 and group 3.
User X is a member of both group 2 and group 3.
Group 1's indirect members should only list the user X once. Currently
it is listed twice.

-- 
Endi S. Dewata
[Freeipa-devel] [PATCH] 800 remove extra call to version-update
Remove extra call to version-update in spec file. We had reports that the build would fail here when running with many jobs. ticket https://fedorahosted.org/freeipa/ticket/1215 rob >From ed2a8b25374fbb3d25ab4556e4bb323ef6ed4ef1 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 13 Jun 2011 17:15:14 -0400 Subject: [PATCH] Remove extraneous version-update make target in spec file. On some systems when running with many jobs other targets would be compiled before version-update was complete causing the build to fail. https://fedorahosted.org/freeipa/ticket/1215 --- freeipa.spec.in |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 64d3049..6f6af57 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -218,12 +218,12 @@ cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localst %endif %if ! %{ONLY_CLIENT} -make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} version-update all +make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all cd selinux # This isn't multi-process make capable yet make all %else -make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} version-update client +make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client %endif %install -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
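Review bot: dropping `version-update` from both `make` invocations in the freeipa.spec.in hunk only fixes the race if the `all` and `client` targets (or a step earlier in the spec) still run it, otherwise the generated version file goes stale in the RPM build; the commit message calls the call extraneous but the hunk does not show the Makefile dependency, so state in the commit message where version-update is still run, or verify it in the Makefile before pushing. Pointing the commit message at the parallel-build failure mode ("other targets compiled before version-update completed") as a reason not to re-add it later would also help.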
[Freeipa-devel] [PATCH] 799 The IP address provided to ipa-server-install must be local
Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available. Note the subtle change when comparing addresses. We have two object types, IPNetwork and IPAddress. We should only compare addresses when we don't have an IPNetwork otherwise we can end up comparing an address to an object with a netmask and get a bad result. https://fedorahosted.org/freeipa/ticket/1175 >From 3e1c740312585677d561fd66ed20322003086250 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 13 Jun 2011 16:37:40 -0400 Subject: [PATCH] The IP address provided to ipa-server-install must be local Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available. https://fedorahosted.org/freeipa/ticket/1175 --- ipapython/ipautil.py |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index ed8f04a..4995fe1 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -117,11 +117,14 @@ class CheckedIPAddress(netaddr.IPAddress): continue ifnet = netaddr.IPNetwork(fields[3]) -if ifnet == net or ifnet.ip == addr: +if ifnet == net or (net is None and ifnet.ip == addr): net = ifnet iface = fields[1] break +if iface is None: +raise ValueError('No network interface matches the provided IP address and netmask') + if net is None: defnet = True if addr.version == 4: -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
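Review bot: in the ipautil.py hunk, the new ValueError says 'No network interface matches the provided IP address and netmask' even on the `net is None` path where the caller supplied no netmask, so the operator is told to check a netmask they never typed; consider including the address itself and phrasing it as 'IP address (and netmask, if given)' so the ipa-server-install failure is self-explanatory. The changed condition `ifnet == net or (net is None and ifnet.ip == addr)` deserves a test for each path: a mask-less address that is configured locally, and an address with a netmask that does not match the interface's, which is exactly the case the old `or ifnet.ip == addr` clause accepted and then overwrote `net` with the interface's network.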
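The "supplied address must be local" check described above, as an added example that is not FreeIPA's code: it is written against the standard library `ipaddress` module rather than netaddr, reads constructed interface records in the `index: name inet addr/prefix` shape the patch parses as `fields[1]` and `fields[3]`, and deliberately requires the address itself to be configured on the interface (with the netmask, when given, agreeing with that interface's mask), which is the intent the patch title states.

```python
# Added example, not FreeIPA's code: the "IP address must be local" check
# from patch 799 over the standard library `ipaddress` module instead of
# netaddr. Interface records are constructed below in the
# "index: name inet addr/prefix" shape the patch reads as fields[1] (name)
# and fields[3] (address/prefix).
import ipaddress

# Constructed sample of configured interfaces, one per line.
SAMPLE_INTERFACES = """\
1: lo inet 127.0.0.1/8
2: eth0 inet 192.168.1.10/24
3: eth1 inet 10.0.0.5/16
"""


def parse_interfaces(text):
    """Return [(name, IPv4Interface or IPv6Interface)] from the sample format."""
    ifaces = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue  # skip blank or non-address lines, as the patch does
        ifaces.append((fields[1], ipaddress.ip_interface(fields[3])))
    return ifaces


def find_local_interface(ip_text, interfaces, netmask=None):
    """Return (iface_name, network_as_str) for the interface carrying ip_text.

    With no netmask the bare address decides. With a netmask the interface
    must carry that exact address *and* its network must equal the supplied
    one. Comparing only the bare address when a netmask was given is the
    mistake the patch description warns about: an interface with the same
    address but a different mask would be accepted and its mask would then
    silently replace the one the operator typed.
    Raises ValueError when nothing matches, as the patched code now does.
    """
    addr = ipaddress.ip_address(ip_text)
    net = None
    if netmask is not None:
        # Accepts both a prefix length ("24") and a dotted mask ("255.255.255.0").
        net = ipaddress.ip_network("%s/%s" % (ip_text, netmask), strict=False)
    for name, ifaddr in interfaces:
        if ifaddr.ip != addr:
            continue
        if net is None:
            return name, str(ifaddr.network)  # default the mask from the interface
        if ifaddr.network == net:
            return name, str(net)
    raise ValueError(
        "No network interface is configured with the provided IP address %s%s"
        % (ip_text, "" if net is None else " and netmask %s" % net.netmask))


def is_local(ip_text, interfaces, netmask=None):
    """Boolean wrapper for callers that only want a yes/no answer."""
    try:
        find_local_interface(ip_text, interfaces, netmask)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_INTERFACES)
    print(find_local_interface("192.168.1.10", ifaces))
    print(find_local_interface("192.168.1.10", ifaces, "255.255.255.0"))
    print(is_local("192.168.1.20", ifaces))          # same subnet, not configured
    print(is_local("192.168.1.10", ifaces, "16"))    # right address, wrong mask
```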
[Freeipa-devel] [PATCH] 798 Fix indirect member calculation
Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. ticket https://fedorahosted.org/freeipa/ticket/1273 rob >From d6e949a3b8febf6f151433d2dcf147ae85b18790 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Mon, 13 Jun 2011 14:54:42 -0400 Subject: [PATCH] Fix indirect member calculation Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. ticket https://fedorahosted.org/freeipa/ticket/1273 --- ipaserver/plugins/ldap2.py| 22 ++- tests/test_xmlrpc/test_nesting.py | 263 +++- 2 files changed, 240 insertions(+), 45 deletions(-) diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py index b0a5c2c..7474e1e 100644 --- a/ipaserver/plugins/ldap2.py +++ b/ipaserver/plugins/ldap2.py 
@@ -943,14 +943,20 @@ class ldap2(CrudBackend, Encoder): # Verify group membership results = [] -for member in members: -try: -(result, truncated) = self.find_entries(searchfilter, attr_list, -member, time_limit=time_limit, -size_limit=size_limit, normalize=normalize) -results.append(list(result[0])) -except errors.NotFound: -pass +if membertype == MEMBERS_ALL or membertype == MEMBERS_INDIRECT: +checkmembers = copy.deepcopy(members) +for member in checkmembers: +try: +(result, truncated) = self.find_entries(searchfilter, +attr_list, member, time_limit=time_limit, +size_limit=size_limit, normalize=normalize) +results.append(list(result[0])) +for m in result[0][1].get('member', []): +# This member may contain other members, add it to our +# candidate list +checkmembers.append(m) +except errors.NotFound: +pass if membertype == MEMBERS_ALL: entries = [] diff --git a/tests/test_xmlrpc/test_nesting.py b/tests/test_xmlrpc/test_nesting.py index a7e6cb8..3e2d6ff 100644 --- a/tests/test_xmlrpc/test_nesting.py +++ b/tests/test_xmlrpc/test_nesting.py @@ -27,8 +27,11 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid group1 = u'testgroup1' group2 = u'testgroup2' group3 = u'testgroup3' +group4 = u'testgroup4' user1 = u'tuser1' user2 = u'tuser2' +user3 = u'tuser3' +user4 = u'tuser4' hostgroup1 = u'testhostgroup1' hgdn1 = u'cn=%s,cn=hostgroups,cn=accounts,%s' % (hostgroup1, api.env.basedn) @@ -44,8 +47,11 @@ class test_nesting(Declarative): ('group_del', [group1], {}), ('group_del', [group2], {}), ('group_del', [group3], {}), +('group_del', [group4], {}), ('user_del', [user1], {}), ('user_del', [user2], {}), +('user_del', [user3], {}), +('user_del', [user4], {}), ('host_del', [fqdn1], {}), ('hostgroup_del', [hostgroup1], {}), ('hostgroup_del', [hostgroup2], {}), 
@@ -119,6 +125,26 @@ class test_nesting(Declarative): dict( +desc='Create %r' % group4, +command=( +'group_add', [group4], dict(description=u'Test desc 4') +), +expected=dict( +value=group4, +summary=u'Added group "testgroup4"', +result=dict( +cn=[group4], +description=[u'Test desc 4'], +gidnumber=[fuzzy_digits], +objectclass=objectclasses.group + [u'posixgroup'], +ipauniqueid=[fuzzy_uuid], +dn=u'cn=testgroup4,cn=groups,cn=accounts,' + api.env.basedn, +), +), +), + + +dict( desc='Create %r' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1') @@ -176,37 +202,105 @@ class test_nesting(Declarative): ), +dict( +desc='Create %r' % user3, +command=( +'user_add', [user3], dict(givenname=u'Test', sn=u'User3') +
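Review bot: this first version of the ldap2.py hunk at line 943 has two related defects that the later reviews in this thread report. `checkmembers` grows while it is being iterated and no DN is ever marked as searched, so a member reachable by two paths (a user in both group2 and group3) is searched twice and appears twice in `results`, and two groups that contain each other are re-queued forever. A set of already-searched DNs, checked before `checkmembers.append(m)`, fixes both at once and makes any later duplicate filtering in the `MEMBERS_INDIRECT` branch unnecessary; a depth cap would then be a cheap second safeguard. The test_nesting.py hunk is cut off in the archive at `'user_add', [user3], dict(givenname=u'Test', sn=u'User3')`, so the new assertions could not be checked here; they should cover the two-path and the circular case as well as the deeper chain.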
Re: [Freeipa-devel] [PATCH] 796 better detection of CA DS installation status
Martin Kosek wrote:
> On Fri, 2011-06-10 at 15:33 -0400, Rob Crittenden wrote:
>> Do better detection on status of CA DS instance when installing.
>>
>> The conditional used to determine if the CA 389-ds instance was already
>> configured was rather poor so it was possible to pass command-line
>> arguments in to confuse it. This would cause it to not be installed at
>> all causing the dogtag installation to fail in a strange way.
>>
>> https://fedorahosted.org/freeipa/ticket/1244
>>
>> rob
>
> ACK, works for me. It would be better if we could detect these situations
> in option parsing phase, but it's true that this particular problem is
> difficult to detect.
>
> Martin

pushed to master and ipa-2-0

rob
[Freeipa-devel] [PATCH] 30 Display remaining external hosts when removing from sudorule
This small 2 line patch addresses 2 bugs:

https://fedorahosted.org/freeipa/ticket/1269 - (Remaining external hosts not
displayed while removing one from a sudorule.)

https://fedorahosted.org/freeipa/ticket/1270 - (Removed external host is
displayed in the output when "--all" switch is used)
Re: [Freeipa-devel] Fwd: Re: User Groups
Dmitri Pal wrote:
> On 06/13/2011 11:45 AM, Adam Young wrote:
>> Dmitri, is this solution acceptable?
>> Should it be "direct" - "indirect" - "all"?
>
> What is the use case? IMO the main use cases are direct - who is the
> direct member of this group, and all - whom this group will affect if I
> use it in a policy. Indirect is a corner case.

Well, indirect can become a bit of a rat hole too because then you start
asking questions like "ok, how is this object a member" and you want to be
able to drill down into things. I'm sure it becomes even more interesting
when an object is an indirect member due to multiple other memberships.

rob

>> Original Message
>> Subject: Re: User Groups
>> Date: Mon, 13 Jun 2011 11:39:46 -0400 (EDT)
>> From: Kyle Baker
>> To: Adam Young
>> CC: Endi Sukma Dewata
>>
>> Attached the image.
>>
>> Kyle Baker
>> Visual Designer
>> Desk - 978 392 3116
>> IRC - kylebaker
>>
>> - Original Message -
>> > On 06/13/2011 09:55 AM, Kyle Baker wrote:
>> > >
>> > > Kyle Baker
>> > > Visual Designer
>> > > Desk - 978 392 3116
>> > > IRC - kylebaker
>> > >
>> > > - Original Message -
>> > >> I don't think it is at the right level of the hierarchy.
>> > >> Probably better for us to find a way to munge direct and indirect
>> > >> into the same facet.
>> > > Maybe a checkbox in the facet content to show the indirect items?
>> > >>> I like this solution the best. I think it is the simplest and
>> > >>> clearest way to digest the information. Could we have a checkbox
>> > >>> for direct also, if the user just wants to see indirect enrollment?
>> > >> So we would show both in the same table, but only if the
>> > >> appropriate checkbox is selected?
>> > > Right. I will send a mock up.
>> >
>> > No need, I get the concept. Thing is, I am not sure that it makes
>> > sense overall. It munges together two concepts that the CLI keeps
>> > separate, and I don't think we want to do that. I'd be ok with
>> > "either/or".
>> >
>> > Can we just show them both? maybe two tables on the page, left to
>> > right, with direct on the left and indirect on the right?
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Fwd: Re: User Groups
On 06/13/2011 11:45 AM, Adam Young wrote:
> Dmitri, is this solution acceptable?
> Should it be "direct" - "indirect" - "all"?

What is the use case? IMO the main use cases are direct - who is the
direct member of this group, and all - whom this group will affect if I
use it in a policy. Indirect is a corner case.

>
> Original Message
> Subject: Re: User Groups
> Date: Mon, 13 Jun 2011 11:39:46 -0400 (EDT)
> From: Kyle Baker
> To: Adam Young
> CC: Endi Sukma Dewata
>
> Attached the image.
>
> Kyle Baker
> Visual Designer
> Desk - 978 392 3116
> IRC - kylebaker
>
> - Original Message -
> > On 06/13/2011 09:55 AM, Kyle Baker wrote:
> > >
> > > Kyle Baker
> > > Visual Designer
> > > Desk - 978 392 3116
> > > IRC - kylebaker
> > >
> > > - Original Message -
> > >> I don't think it is at the right level of the hierarchy.
> > >> Probably better for us to find a way to munge direct and indirect
> > >> into the same facet.
> > > Maybe a checkbox in the facet content to show the indirect items?
> > >>> I like this solution the best. I think it is the simplest and
> > >>> clearest way to digest the information. Could we have a checkbox
> > >>> for direct also, if the user just wants to see indirect enrollment?
> > >> So we would show both in the same table, but only if the
> > >> appropriate checkbox is selected?
> > > Right. I will send a mock up.
> >
> > No need, I get the concept. Thing is, I am not sure that it makes
> > sense overall. It munges together two concepts that the CLI keeps
> > separate, and I don't think we want to do that. I'd be ok with
> > "either/or".
> >
> > Can we just show them both? maybe two tables on the page, left to
> > right, with direct on the left and indirect on the right?
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] [PATCH] 175 Entitlement status.
On 06/09/2011 07:36 PM, Endi Sukma Dewata wrote:
> A new facet has been added to show entitlement status and download the
> registration certificate.

ACK, pushed to master
Re: [Freeipa-devel] [PATCH] 174 Added selectable option for table widget.
On 06/09/2011 07:03 PM, Endi Sukma Dewata wrote:
> A selectable option has been added to the table widget to show/hide the
> checkbox column for selecting table rows. By default it's set to true.
> The indirect association facet has been modified to hide the column
> because it is non-editable.

ACK, pushed to master
Re: [Freeipa-devel] [PATCH] 173 Fixed resizing issues.
On 06/10/2011 03:21 PM, Endi Sukma Dewata wrote:
> On 6/9/2011 5:01 PM, Endi Sukma Dewata wrote:
>> The UI has been modified to fix some resizing issues:
>>
>> Previously the size of scrollable facet content was roughly calculated
>> using resize(). Now the size can be more accurately defined in CSS.
>>
>> Previously the UI width was fixed. The HTML layout and background images
>> have been modified to support horizontal expansion.
>>
>> Demo is available here:
>> http://edewata.fedorapeople.org/freeipa/install/ui/index.html
>
> Attached is an updated patch based on Kyle and Adam's feedback. The width
> has been set back to a fixed value, but the underlying code still supports
> horizontal resizing in case it's needed in the future. The min height has
> been removed.

ACK, pushed to master
[Freeipa-devel] [PATCH] 080 Add a list of managed hosts
Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed. https://fedorahosted.org/freeipa/ticket/993 >From 77a3fbf07ab7e2e60ae442632c6be1cd8f9eee4a Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Mon, 13 Jun 2011 16:23:09 +0200 Subject: [PATCH] Add a list of managed hosts Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed. https://fedorahosted.org/freeipa/ticket/993 --- ipalib/plugins/host.py | 36 1 files changed, 36 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index a602df4d13757f06a7e7ccce3213e068f752ed35..29f659f9c7aa09267957853b6e801e59495e2c1f 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -158,6 +158,9 @@ host_output_params = ( Str('managedby_host', label='Managed by', ), +Str('managing_host', +label='Managing', +), Str('subject', label=_('Subject'), ), @@ -216,6 +219,7 @@ class host(LDAPObject): 'enrolledby': ['user'], 'memberof': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'managedby': ['host'], +'managing': ['host'], 'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'], } @@ -224,6 +228,7 @@ class host(LDAPObject): 'memberof': ('Member Of', 'in_', 'not_in_'), 'enrolledby': ('Enrolled by', 'enroll_by_', 'not_enroll_by_'), 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), +'managing': ('Managing', 'man_', 'not_man_'), } label = _('Hosts') 
@@ -302,6 +307,23 @@ class host(LDAPObject): pass return dn +def get_managed_hosts(self, dn): +host_filter = 'managedBy=%s' % dn +host_attrs = ['fqdn'] +ldap = self.api.Backend.ldap2 +managed_hosts = [] + +try: +(hosts, truncated) = ldap.find_entries(base_dn=self.container_dn, +filter=host_filter, attrs_list=host_attrs) + +for host in hosts: +managed_hosts.append(host[0]) +except errors.NotFound: +return [] + +return managed_hosts + api.register(host) @@ -416,6 +438,10 @@ class host_add(LDAPCreate): reason=_('The host was added but the DNS update failed with: %(exc)s') % dict(exc=exc) ) set_certificate_attrs(entry_attrs) + +if options.get('all', False): +entry_attrs['managing'] = self.obj.get_managed_hosts(dn) + return dn api.register(host_add) @@ -611,6 +637,10 @@ class host_mod(LDAPUpdate): if options.get('random', False): entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) set_certificate_attrs(entry_attrs) + +if options.get('all', False): +entry_attrs['managing'] = self.obj.get_managed_hosts(dn) + return dn api.register(host_mod) @@ -638,6 +668,9 @@ class host_find(LDAPSearch): entry_attrs = entry[1] set_certificate_attrs(entry_attrs) +if options.get('all', False): +entry_attrs['managing'] = self.obj.get_managed_hosts(entry[0]) + api.register(host_find) @@ -664,6 +697,9 @@ class host_show(LDAPRetrieve): set_certificate_attrs(entry_attrs) +if options.get('all', False): +entry_attrs['managing'] = self.obj.get_managed_hosts(dn) + return dn def forward(self, *keys, **options): -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
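Review bot: in the `get_managed_hosts` hunk, `host_filter = 'managedBy=%s' % dn` interpolates a DN into an LDAP filter without escaping, and a DN whose RDN values contain `(`, `)`, `*` or `\` (all legal) yields a malformed or over-broad filter; escape the value per RFC 4515 (python-ldap's `ldap.filter.escape_filter_chars`, or the filter-building helper ldap2 already provides for attribute/value pairs) and wrap the result in parentheses. The `truncated` flag returned by `find_entries` is also discarded, so a size-limited search silently yields a partial 'managing' list; either surface it or document the limit. Finally `host_attrs = ['fqdn']` is requested but only `host[0]` (the DN) is appended, so the attribute list can go if the DN-to-name conversion is left to the framework.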
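Review bot: in the `host_find` hunk, `self.obj.get_managed_hosts(entry[0])` issues one extra LDAP search for every returned entry when `--all` is given, so a find over N hosts costs N+1 searches and scales badly on large deployments; acceptable if noted in the commit message, but a single `managedBy` search over the host container followed by grouping the results by manager DN would cost one round trip regardless of the result size. The same helper is called from `host_add`, `host_mod` and `host_show`, where a single search per command is fine.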
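Review bot: in the `host_output_params` hunk, the new `Str('managing_host', label='Managing')` copies the unwrapped `label='Managed by'` form of the entry above it rather than the `label=_('Subject')` form two lines below; both labels should go through `_()` so they are translatable, and the new one is the place to start since it is being added now.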
Re: [Freeipa-devel] [PATCH] JSON-marshalling-list
On 06/13/2011 07:14 AM, Martin Kosek wrote:
> On Fri, 2011-06-10 at 14:41 -0400, Adam Young wrote:
> > Pushed under the one line rule
> Does this bug also affect the "old" IPA 2.0 WebUI? In that case I think
> this patch should be pushed to branch ipa-2-0 as well.
> Martin
Haven't tested it.
Re: [Freeipa-devel] [PATCH] JSON-marshalling-list
On Fri, 2011-06-10 at 14:41 -0400, Adam Young wrote:
> Pushed under the one line rule
Does this bug also affect the "old" IPA 2.0 WebUI? In that case I think this patch should be pushed to branch ipa-2-0 as well.
Martin
Re: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage
On Mon, 2011-06-13 at 12:32 +0200, Jan Cholasta wrote:
> On 9.6.2011 14:50, Martin Kosek wrote:
> > On Wed, 2011-06-08 at 15:21 +0200, Jan Cholasta wrote:
> >> https://fedorahosted.org/freeipa/ticket/1283
> >> https://fedorahosted.org/freeipa/ticket/1284
> >>
> >> Honza
> >
> > Patch works fine, but I'd like to improve code quality a bit. Please
> > don't call sys.exit() from get_dirman_password(). It doesn't really make
> > sense.
> >
> > I suggest just returning None in that case and then exiting in the main
> > function. Or raising a proper exception and then exiting in the main
> > function. The get_dirman_password() function can then be later reused
> > easily.
>
> Good point. Fixed.
ACK. Pushed to master, ipa-2-0.
Martin
Re: [Freeipa-devel] [PATCH] 797 fix re-initializing replica binding using GSSAPI
On Fri, 2011-06-10 at 16:32 -0400, Rob Crittenden wrote:
> Support initializing memberof during replication re-init using GSSAPI
>
> The last step of a replication re-initialization is to run the memberof
> task. The current function would only authenticate using simple auth to
> monitor the task but we may be doing this using admin GSSAPI credentials
> so support that type of bind as well.
>
> In short this fixes:
>
> # kinit admin
> # ipa-replica-manage re-initialize --from=master.example.com
>
> https://fedorahosted.org/freeipa/ticket/1248
>
> rob
ACK, works like a charm. Pushed to master, ipa-2-0.
Martin
Re: [Freeipa-devel] [PATCH] 21 Fix directory manager password validation in ipa-nis-manage
On 9.6.2011 14:50, Martin Kosek wrote: On Wed, 2011-06-08 at 15:21 +0200, Jan Cholasta wrote: https://fedorahosted.org/freeipa/ticket/1283 https://fedorahosted.org/freeipa/ticket/1284 Honza Patch works fine, but I'd like to improve code quality a bit. Please don't call sys.exit() from get_dirman_password(). It doesn't make really sense. I suggest just returning None in that case and then exiting in the main function. Or raising a proper exception and then exiting in the main function. The get_dirman_password() function can then be later reused easily. Good point. Fixed. Martin Honza -- Jan Cholasta >From 16f29e8bd15a7a7708a3983495440eb13ff5ca61 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 8 Jun 2011 14:39:50 +0200 Subject: [PATCH] Fix directory manager password validation in ipa-nis-manage. ticket 1283, 1284 --- install/tools/ipa-nis-manage | 10 -- ipaserver/install/installutils.py |6 +- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage index 69db06a..2c0936b 100755 --- a/install/tools/ipa-nis-manage +++ b/install/tools/ipa-nis-manage @@ -62,7 +62,7 @@ def get_dirman_password(): """Prompt the user for the Directory Manager password and verify its correctness. """ -password = installutils.read_password("Directory Manager", confirm=False, validate=False) +password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False) return password @@ -101,11 +101,17 @@ def main(): dirman_password = "" if options.password: -pw = ipautil.template_file(options.password, []) +try: +pw = ipautil.template_file(options.password, []) +except IOError: +sys.exit("File \"%s\" not found or not readable" % options.password) dirman_password = pw.strip() else: dirman_password = get_dirman_password() +if not dirman_password: +sys.exit("No password supplied") + api.bootstrap(context='cli', debug=options.debug) api.finalize() 
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index d99af37..3f883d0 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -287,15 +287,18 @@ def get_password(prompt): else: return sys.stdin.readline().rstrip() -def read_password(user, confirm=True, validate=True): +def read_password(user, confirm=True, validate=True, retry=True): correct = False pwd = "" while not correct: +if not retry: +correct = True pwd = get_password(user + " password: ") if not pwd: continue if validate and len(pwd) < 8: print "Password must be at least 8 characters long" +pwd = "" continue if not confirm: correct = True @@ -304,6 +307,7 @@ def read_password(user, confirm=True, validate=True): if pwd != pwd_confirm: print "Password mismatch!" print "" +pwd = "" else: correct = True print "" -- 1.7.4.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
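Review bot: in the ipa-nis-manage get_dirman_password hunk, the docstring still promises to "verify its correctness", but after the change to `retry=False` the function reads the password once and may hand back an empty string; update the docstring to say that the caller must check for an empty result.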
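Review bot: in the ipa-nis-manage main hunk, `except IOError` collapses every read failure into "not found or not readable"; including the exception text in the sys.exit message would make permission problems on the --password file diagnosable. The `if not dirman_password: sys.exit("No password supplied")` check correctly covers both the prompt and the file branch (an empty or whitespace-only file ends up empty after strip()), which is worth a one-line comment.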
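Review bot: in the installutils read_password hunks, the new `retry` parameter changes the function's contract without documentation: with retry=False an empty input, a too-short password (when validate is set) or a confirmation mismatch all return "" after a single pass, and only the added `pwd = ""` resets keep that distinguishable from a successful entry; add a docstring stating that retry=False may return an empty string the caller must check. Setting `correct = True` at the top of each iteration when retry is False works, but a plain `break` after the single attempt would make the one-shot behaviour obvious.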
Re: [Freeipa-devel] [PATCH] 796 better detection of CA DS installation status
On Fri, 2011-06-10 at 15:33 -0400, Rob Crittenden wrote:
> Do better detection on status of CA DS instance when installing.
>
> The conditional used to determine if the CA 389-ds instance was already
> configured was rather poor so it was possible to pass command-line
> arguments in to confuse it. This would cause it to not be installed at
> all causing the dogtag installation to fail in a strange way.
>
> https://fedorahosted.org/freeipa/ticket/1244
>
> rob
ACK, works for me. It would be better if we could detect these situations in the option parsing phase, but it's true that this particular problem is difficult to detect.
Martin
Re: [Freeipa-devel] [PATCH] 795 Remove root autobind search restriction, fix upgrade logging & error handling.
On Fri, 2011-06-10 at 15:41 -0400, Rob Crittenden wrote: > Martin Kosek wrote: > > On Thu, 2011-06-09 at 16:32 -0400, Rob Crittenden wrote: > >> Rob Crittenden wrote: > >>> There was no point in limiting autobind root to just search cn=config > >>> since it could always just modify its way out of the box, so remove the > >>> restriction. > >>> > >>> The upgrade log wasn't being created. Clearing all other loggers before > >>> we calling logging.basicConfig() fixes this. > >>> > >>> Add a global exception when performing updates so we can gracefully > >>> catch and log problems without leaving the server in a bad state. > >>> > >>> https://fedorahosted.org/freeipa/ticket/1243 > >>> https://fedorahosted.org/freeipa/ticket/1254 > >>> > >>> rob > >> > >> This was leaving a bogus entry in systrestore.index and an empty value > >> in dse.ldif. I updated the patch. > >> > >> rob > > > > Autobind portion works fine. However, upgrade failure processing can be > > improved: > > > > 1) When Exception is catched in IPAUpgrade, it is neither logged nor > > printed out. This can make it difficult to debug. > > Yup, logging it now. > > > > > 2) User running `ipa-ldap-updater --upgrade` cannot tell if the upgrade > > was wrong. Success status code is returned by the program and no info > > that something has failed is given. > > Gah, I had a return 1 there at some point...Added back. > > rob ACK. Pushed to master, ipa-2-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel